Now that we are within a month of the RSA conference, the security diaspora must prepare itself for a cacophony of hyperbole around three industry initiatives: Secure Access Service Edge (SASE), eXtended Detection and Response (XDR), and zero trust.
Yup, all three areas are innovative and extremely promising, but a bit overwhelming as well. Look for more from me on SASE and zero trust in the coming weeks. For now, we'll focus on XDR.
ESG research indicates that 83% of organizations will increase threat detection/response spending in 2021—a clear indication that current tools and techniques are inadequate. XDR could capitalize on this market demand but only if vendors can cut through industry embellishment and really connect with security professionals. Look for XDR vendors’ need to come to virtual RSA with clear communications around:
- The definition of XDR. According to ESG research, only 24% of security professionals claim to be “very familiar” with the technology concepts associated with XDR. Maybe it’s me, but I don’t think you’ll be very successful when three-quarters of your customers are confused about what you are trying to sell them. The problem here is that XDR is more of an architecture (think security operations and analytics platform architecture or SOAPA) than a product, and architectures are kind of squishy compared to products. Additionally, XDR comes in several flavors including controls-based (i.e., EDR + NDR + other), management plane-based, open XDR, software overlay, etc. There is a pressing need for frank and detailed market education. The RSA conference is a good place to start.
- Algorithm unveiling. One of the key value propositions around XDR is its analytics superiority over existing threat detection technologies. The theory is that XDR collects and processes telemetry from individual tools and somehow munges all this data together to come up with more timely, accurate, and comprehensive threat detection. Sounds good, but skeptical security pros have heard this before (UEBA comes to mind). XDR vendors must get beyond theory and get into the data science weeds—at least a bit. Remember that threat detection accuracy is the key here. Streamlining security operations is also important but not if XDR makes operations easier while being blind to sophisticated multi-staged attacks.
- Implementation guidance. This is really a challenge for controls-based XDR vendors. A unified security technology architecture makes intuitive sense, but it is a horse of a different color compared to the best-of-breed point tools many enterprise organizations use for threat detection and response today. Where should users start? How do they integrate tools over time? How do they retain custom rule sets and the experience they have today without starting over with XDR? XDR vendors should not bother to show up at the RSA conference without appropriate reference architectures, case studies, and training guidelines for prospective customers.
- Security operations models. We have heard a lot about what XDR can do but far less about how a security operations team should interact with the products. How do they triage alerts? How do they investigate high-priority alerts? How do they automate response actions? How do XDR tools work with ITSM systems? At the RSA conference, XDR vendors must be prepared to demonstrate that their wares can support all security operations processes AND provide a superior alternative to the status quo.
- The data dilemma. The vision for XDR is a turnkey SOAPA that eventually replaces the anchor of security operations: security information and event management (SIEM). I get it, but SIEM systems are data management superstars, built on a complex network of collectors, forwarders, indexers, messaging buses, etc., and regularly collecting, processing, and analyzing terabytes of data daily. ESG research indicates there is a lot of ongoing security data management activity, large organizations are already investing in areas like stream processing/analytics and adding new data sources (including more threat intelligence sources) into the data pipeline. In my discussions with security operations teams at large enterprises, they are most cynical about XDR techology’s ability to handle a multi-terabyte data pipeline. XDR vendors have done a lot of arm waving about data management. Now they need to get more specific at RSA.
- Third-party integration. We all get that big security technology vendors want to sell their customers the whole XDR enchilada, but that is a very tall order. One CISO who went with an open software overlay XDR solution told me, “XDR vendors assume I will standardize on their solution by replacing my EDR, NDR, and SIEM with their products. My problem is that I have one of everything, meaning several flavors of EDR, NDR, and even SIEM. Replacing all these piece parts is simply unrealistic.” This situation is commonplace, meaning that every XDR vendor must play nice with others. Reasonable XDR vendors will come to the RSA conference with a full slate of integration options, including APIs, custom connectors, partnerships, etc. I would like to see the whole XDR community go further and establish standard ways to interoperate. This was part of my original SOAPA vision in 2016, so better late than never.
- Cloud visibility. When asked where they would like to start an XDR project, the largest percentage (43%) of respondents said, “By implementing an XDR solution with threat detection and response capabilities for cloud-based workloads and SaaS.” This surprised us, as we thought that XDR projects would likely begin by replacing EDR or NDR. What does this mean? Cloud visibility is a scary blind spot for many organizations. To address this, XDR vendors should be willing to discuss all the disparate cloud data they collect, process, analyze, and visualize. Oh, and it is also important that they can contextualize all the cloud data as part of a cyber kill chain that spans across endpoints, networks, servers, services, and the entire hybrid IT infrastructure.
- Identity affinity. In talking to lots of early XDR adopters, my colleague Dave Gruber and I have heard a common refrain: XDR often misses the human element of cyber-attacks, lacking adequate integration with authentication, network directories, and IAM This is especially true with organizations using a wide assortment of SaaS applications and those with lots of developers banging away at new types of cloud application development tools. Hmm, quite ironic since the last time the industry was gaga over new security operations technology, it was with user and entity behavior analytics (UEBA). UEBA centered around users while XDR focuses on technologies. At the RSA conference, vendors must be ready to address the fact that users are clearly saying they need both.
Organizations clearly need threat detection and response help and are willing to be open minded about XDR. That said, CISOs understand how complex this problem is. Vendors should come to the RSA conference prepared to have an honest conversation of where XDR is today, how it fits into security operations technologies and processes, and how it evolves over time.